https://bugs.kde.org/show_bug.cgi?id=519995

[email protected] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|BACKTRACE                   |---
             Status|NEEDSINFO                   |REPORTED

--- Comment #5 from [email protected] ---
(In reply to apuebla from comment #4)
> (In reply to Harald Sitter from comment #2)
> > .
> 
> UPDATE: kmtpd.so / kiod6: sized deallocation mismatch (undefined behavior)
> aborts on hardened_malloc
> 
> System: Fedora 44 with KDE Plasma 26.04.2, KIO 6.27.0, Qt 6.11.1, kio-extras
> 26.04.2
> 
> Problem: Dolphin hangs indefinitely when opening an Android phone via MTP.
> 
> Investigation: The org.kde.kmtpd5 D-Bus service (provided by kiod6 loading
> kmtpd.so) crashes with SIGABRT in a loop. Dolphin's KIO workers then hang in
> KIO::ConnectionBackend::waitForIncomingTask with ms=-1 (infinite timeout),
> waiting on a socket for kmtpd5 that never responds.
> 
> Root cause: kmtpd.so triggers a sized deallocation mismatch (small) --
> undefined behavior in C++ memory management. This is caught by
> hardened_malloc (used by secureblue, GrapheneOS, and others) which correctly
> aborts. glibc's malloc silently tolerates the same bug.
> 
> Journal evidence:
> <pre>
> kiod6[PID]: fatal allocator error: sized deallocation mismatch (small)
> dbus-:[email protected]: Main process exited, code=dumped,
> status=6/ABRT
> </pre>
> 
> Dependencies verified: kio-extras 26.04.2, libmtp 1.1.22, kmtpd.so and
> mtp.so plugins present. No SELinux denials related to MTP.
> 
> Why this matters: This is not a distro-specific issue. It is undefined
> behavior that could cause silent memory corruption, use-after-free, or heap
> metadata corruption on standard glibc systems. The hardened allocator is
> simply exposing a bug that already exists.
> 
> Workaround: Running kiod6 with LD_PRELOAD= (disabling the hardened
> allocator) prevents the abort and allows MTP to function normally.
> 
> Reproduction: I can reproduce this consistently on a system with
> hardened_malloc enabled. I am happy to test patches or provide additional
> diagnostics.
> 
> Suggested fix: Audit kmtpd.so and its libmtp interaction for mismatched
> new/delete, malloc/free, or operator delete with incorrect size parameters.
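The kind of mismatch the report asks maintainers to audit for, shown as an added example that is not code from the bug report, kio-extras or hardened_malloc (all class names here are hypothetical). A class-level `operator delete` records the size the compiler passes to sized deallocation, which is the value a hardened allocator compares against the real allocation size; deleting a derived object through a base pointer without a virtual destructor is one common way that size ends up wrong, and the fixed variant sits beside it.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdlib>
#include <new>

// Size seen by the most recent sized operator delete (hypothetical instrumentation,
// standing in for the bookkeeping a hardened allocator does internally).
static std::size_t g_last_delete_size = 0;

// Base WITHOUT a virtual destructor: deleting a BrokenDerived through a
// BrokenBase* is undefined behaviour, and the compiler passes sizeof(BrokenBase)
// to operator delete even though sizeof(BrokenDerived) bytes were allocated.
struct BrokenBase {
    static void* operator new(std::size_t n) { return std::malloc(n); }
    static void operator delete(void* p, std::size_t n) noexcept {
        g_last_delete_size = n;   // record what the compiler passed
        std::free(p);
    }
    int id = 0;
};
struct BrokenDerived : BrokenBase { char payload[64] = {}; };

// Fixed variant: a virtual destructor makes delete dispatch to the most
// derived type, so the size passed matches the size allocated.
struct FixedBase {
    static void* operator new(std::size_t n) { return std::malloc(n); }
    static void operator delete(void* p, std::size_t n) noexcept {
        g_last_delete_size = n;
        std::free(p);
    }
    virtual ~FixedBase() = default;
    int id = 0;
};
struct FixedDerived : FixedBase { char payload[64] = {}; };

// True when the size handed to operator delete equals the allocated size,
// i.e. the check that makes hardened_malloc abort would pass.
bool broken_delete_size_matches() {
    BrokenBase* p = new BrokenDerived;   // allocates sizeof(BrokenDerived)
    delete p;                            // passes sizeof(BrokenBase): mismatch
    return g_last_delete_size == sizeof(BrokenDerived);
}

bool fixed_delete_size_matches() {
    FixedBase* p = new FixedDerived;
    delete p;                            // virtual dtor: sizeof(FixedDerived)
    return g_last_delete_size == sizeof(FixedDerived);
}
```

glibc's malloc ignores the size argument, which is why the same code runs silently there; the instrumented delete above makes the discrepancy visible without a hardened allocator.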
